Secure Nutanix with cnspec

Scan Nutanix Prism Central environments against security and compliance best practices with cnspec.

Scan your Nutanix environment through Prism Central to find security risks before they become incidents. cnspec evaluates clusters, hypervisor hosts, virtual machines, storage containers, networks, and IAM users, groups, and roles. It needs no agents installed on your infrastructure.

New to cnspec? Read the Quickstart to install cnspec and run your first scan. To scan other platforms, see the cloud scanning overview.

Prerequisites

To scan Nutanix with cnspec, you must have:

  • cnspec installed on your workstation
  • A Nutanix Prism Central instance
  • Credentials to authenticate (either a username and password or an IAM API key)
  • Network access from your workstation to the Prism Central API (port 9440 by default)

Authenticate

cnspec connects to Prism Central and supports two authentication methods.

Basic authentication

Use a Prism Central username with a password. Use an account that has at least read-only permissions on the resources you want to scan. To avoid putting the password on the command line, pass --ask-pass so that cnspec prompts you for it.

IAM API key

Use an IAM API key for service-account authentication by passing --api-key.

Connection flags

Flag              Description
--endpoint        Prism Central host: IP address or FQDN (required)
--port            Prism Central API port (default 9440)
--user            Username for basic authentication
--password, -p    Password for basic authentication
--ask-pass        Prompt for the connection password
--api-key         IAM API key for service-account authentication
--insecure, -k    Skip TLS certificate verification

If your Prism Central instance uses a self-signed certificate, add --insecure (or -k) to skip TLS verification.

Verify with a quick Nutanix check

Confirm that cnspec can reach your Nutanix environment:

cnspec run nutanix \
  --endpoint pc.example.com \
  --user admin \
  --ask-pass \
  -c 'nutanix.clusters != empty'

Scan Nutanix

Scan your Nutanix environment with basic authentication:

cnspec scan nutanix \
  --endpoint pc.example.com \
  --user admin \
  --ask-pass

Or authenticate with an IAM API key:

cnspec scan nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY

When the scan completes, cnspec prints each check with a pass or fail result and an overall risk score from 0 (no risk) to 100 (highest risk). To learn how to read a report in depth, see Understand Scan Results.

Scan with the Mondoo Nutanix Security policy

Mondoo maintains an out-of-the-box Nutanix Security policy that checks your Prism Central environment against security best practices. It evaluates cluster encryption at rest and in transit, SSH authentication, remote support access, redundancy and fault tolerance, host UEFI Secure Boot and IPMI credentials, virtual machine guest tools and backup coverage, identity and access management (LDAPS, SAML signing, and stale account detection), and storage container encryption, CHAP authentication, and replication factors. Its checks map to compliance frameworks including NIST CSF, ISO 27001, PCI DSS, and HIPAA.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "Nutanix", and add the policy. All future scans of your Nutanix environment automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-nutanix-security.mql.yaml

Apply your own policies

You can also write your own policies to check your Nutanix environment against your specific security and compliance requirements, then pass the bundle to cnspec:

cnspec scan nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY \
  --policy-bundle my-nutanix-policy.mql.yaml
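As an added illustration (not code from this page or from the cnspec project), here is what such a bundle could look like, built only from the resource fields shown in the cnspec shell section below; the policy and query uids, titles, impact scores, and the assumption that guestTools is null when no tools are installed are all my own:

```yaml
# Constructed example bundle: my-nutanix-policy.mql.yaml (not the project's own content)
policies:
  - uid: example-nutanix-hardening          # assumed uid
    name: Example Nutanix Hardening Policy
    version: 1.0.0
    groups:
      - title: Cluster access
        checks:
          - uid: example-nutanix-remote-support-disabled
          - uid: example-nutanix-password-remote-login-disabled
      - title: Data protection
        checks:
          - uid: example-nutanix-storage-encrypted
          - uid: example-nutanix-powered-on-vms-have-guest-tools
queries:
  - uid: example-nutanix-remote-support-disabled
    title: Remote support access is disabled on every cluster
    impact: 60                               # assumed severity
    # Fails if any cluster has the remote support tunnel enabled
    mql: nutanix.clusters.all(isRemoteSupportEnabled == false)
  - uid: example-nutanix-password-remote-login-disabled
    title: Password-based remote login is disabled on every cluster
    impact: 70                               # assumed severity
    mql: nutanix.clusters.all(isPasswordRemoteLoginEnabled == false)
  - uid: example-nutanix-storage-encrypted
    title: All storage containers are encrypted at rest
    impact: 80                               # assumed severity
    mql: nutanix.storageContainers.all(isEncrypted == true)
  - uid: example-nutanix-powered-on-vms-have-guest-tools
    title: Powered-on VMs have guest tools installed
    impact: 30                               # assumed severity
    # Only powered-on VMs are in scope; assumes guestTools is null when not installed
    mql: nutanix.vms.where(powerState == "ON").all(guestTools != null)
```

Each query's mql expression must evaluate to true for the check to pass, so the .all() form fails the check as soon as a single cluster, container, or VM violates the rule.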

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell nutanix \
  --endpoint pc.example.com \
  --api-key API_KEY

Cluster overview

cnspec> nutanix.clusters { name version nodeCount vmCount redundancyFactor isAvailable }

Inspect cluster security settings

cnspec> nutanix.clusters {
  name
  isRemoteSupportEnabled
  isPasswordRemoteLoginEnabled
  encryptionInTransitStatus
}

List hypervisor hosts with hardware information

cnspec> nutanix.hosts { name hypervisorType hypervisorFullName cpuModel cpuCores memorySizeBytes }

List virtual machines

cnspec> nutanix.vms { name powerState memorySizeBytes numSockets numCoresPerSocket }

Find powered-on VMs without guest tools

cnspec> nutanix.vms.where(powerState == "ON") { name guestTools }

Audit storage container encryption

cnspec> nutanix.storageContainers { name isEncrypted isCompressionEnabled replicationFactor }

Review networks and NAT configuration

cnspec> nutanix.subnets { name subnetType isExternal isNatEnabled ipPrefix }

Audit IAM users

cnspec> nutanix.users { username displayName userType status lastLoginTime }

Inspect roles and their assignments

cnspec> nutanix.roles { displayName isSystemDefined assignedUsersCount assignedUserGroupsCount }
